OpenWRT & PPTPD: A Love Story

Firesheep got me thinkin’ that I should probably do a little more to beef up the security of my Internet connection on public networks. PPTP has always been a favorite of mine, because it hides traffic well enough to deter most people and it’s easy to set up on both Linux and Windows. I ran a Windows PPTP server for years, but recently decided to just host the service on my WRT54GS v3 router running OpenWRT. Three hours later, I’ve got it running smoothly. Here’s how I did it:

First, I installed and set up OpenWrt Backfire 10.03 and set my internal IP pool to be on the 172.16.x net, with the gateway (the OpenWRT router) being 172.16.1.1. Then, I headed over to OpenWRT’s PPTPD HOW-TO.

If you compare my options.pptpd to the original file, you’ll notice I deleted the entry “172.16.1.1:” at the top of the file and added the entry ms-dns 172.16.1.1. I don’t know why, but DNS didn’t work well when the client’s defaults were used, so I forced the clients to use the router’s LAN DNS server.

Then I added some users to the /etc/ppp/chap-secrets file. I’ll paste the contents, then go over the details. Oh, and don’t forget to chmod 600 /etc/ppp/chap-secrets, because the file’s perms are insecure by default:

The chap-secrets file alone suggests that OpenWRT/PPTP is not an enterprise solution. I wouldn’t propose it for any company with a decent budget, but times are tough and ghetto is looking better than ever to many companies.

I would actually have fewer entries in this file if the IPADDRESS field were not such a big issue. Unfortunately, it seems that the DHCP pool has been compiled into the service. It sets up the router’s pppN to be 192.168.0.x and assigns the clients a 192.168.1.x address by default. Which is unfortunate, because SO DOES EVERY OTHER RESIDENTIAL ROUTER, EVER. So routing issues keep popping up. Because of that, I force PPTPD to assign each user a specific IP in the 192.168.80.x range, because I’ve never seen any router use that subnet.

The usernames are whatever you’d like them to be (I made them the names of my devices), but if you are dialing in from a Windows machine, you will have to preface the username with the Windows domain name, or the name of your workstation if you are not on a domain. UPDATE: adding chapms-strip-domain to options.pptpd fixes this. The “pptp-server” is what the service was named in options.pptpd, the password is just that, and the IPADDRESS is the IP that the given client will be assigned.
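As an added example (not from the original post), here is a small audit script for the chap-secrets layout described above. It assumes the server name pptp-server and the 192.168.80.0/24 per-user range from the post, and flags the things that caused trouble: a client left on the default pool, duplicate fixed addresses, and a file mode looser than 600.

```python
import ipaddress
import stat

# Assumed from the post: the server name in options.pptpd and the fixed per-user range.
EXPECTED_SERVER = "pptp-server"
EXPECTED_POOL = ipaddress.ip_network("192.168.80.0/24")

def parse_chap_secrets(text):
    """Yield (lineno, fields) for each non-blank, non-comment line; pppd splits on whitespace."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line.split()

def audit_chap_secrets(text):
    """Check the client / server / secret / IP layout the post uses; [] means nothing to fix."""
    findings, owner_of = [], {}
    for lineno, fields in parse_chap_secrets(text):
        if len(fields) != 4:
            findings.append(f"line {lineno}: expected 4 fields (client server secret IP), got {len(fields)}")
            continue
        client, server, _secret, ip = fields
        if server != EXPECTED_SERVER:
            findings.append(f"line {lineno}: server '{server}' is not '{EXPECTED_SERVER}' from options.pptpd")
        if ip == "*":  # pppd would hand out a pool address (192.168.1.x), which the post avoids
            findings.append(f"line {lineno}: '{client}' has no fixed IP and will get a pool address")
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"line {lineno}: '{ip}' is not an IP address")
            continue
        if addr not in EXPECTED_POOL:
            findings.append(f"line {lineno}: {addr} is outside {EXPECTED_POOL}")
        if addr in owner_of:
            findings.append(f"line {lineno}: {addr} is already assigned to '{owner_of[addr]}'")
        owner_of.setdefault(addr, client)
    return findings

def mode_is_private(mode):
    """True when only the owner can read/write (what chmod 600 leaves); pass stat.S_IMODE(st_mode)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

# Constructed sample, not the author's file: one duplicate address and one pool-assigned client.
SAMPLE = """\
# client   server        secret     IP address
iphone     pptp-server   "s3cr3t1"  192.168.80.10
laptop     pptp-server   "s3cr3t3"  192.168.80.10
macbook    pptp-server   "s3cr3t4"  *
"""
```

Running audit_chap_secrets on the file contents and mode_is_private on its stat mode covers both the content and the chmod 600 step.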

Initially, my /etc/firewall.user didn’t have all the proper entries, so my client was able to authenticate and all that, but no traffic was being routed to the 172.16.x subnet, nor was it being routed to the Internet. Here’s what worked:

The first block allows clients to connect to the PPTP service and the second one allows it to communicate with both the Internet and the local network. And voila, you are done. I know it seems straightforward and doesn’t deviate much from the default install, but it took over three hours of trial and error to get here. I’ve logged in successfully with an iPhone (over 3G, EDGE and wifi), an iPad, a Windows 7 machine and Mac OS X. The iPhone is of special importance to me — after connecting to a local coffee shop’s unsecured network on my laptop and my iPhone, I successfully hijacked my iPhone’s Facebook app session using FireSheep. So, now I’ll be encapsulating all of my traffic by sending it over to the fiber connection at my office, what what.

Next up, I’ll probably start playing around with the RADIUS plugin. Stay tuned.

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

10 comments on “OpenWRT & PPTPD: A Love Story”

Hey, thanks for that! I've been using a script in PowerShell that sets up all my users for me daily, including home folder and permissions. The only stumbling block was I had to keep going in and resetting the subfolder permissions after.

Really good stuff.
Thanks for this small and educative tutorial.
I just have a minor note:
if you do really plan a security solution for a small-to-average business, go for OpenVPN.
The PopTop protocol with the MPPE algos is already broken, so if someone sniffs enough packets he’ll be able to break it and decrypt the information.
Otherwise, use RADIUS with CHAP. But… seriously, why should we need to do this ourselves when there are so many free and good working solutions like OpenVPN?

Sad but true. I recall OpenWRT's IPSec also not getting along with the iPhone as well. I was sooo close, but there was some issue that stopped me. That was almost a year ago, so hopefully something has updated/changed. We'll see.

I'm working on a somewhat straightforward tutorial for OpenVPN and Mac OS X right now and hope to have it published sometime this week. I ain't gonna lie, it was workaround-central but the payoff was nice.

Thank you for this very useful post. I successfully connected my iPhone to my OpenWRT router, but after a day I discovered something strange. In the system log I could see unsuccessful SSH login attempts from a foreign IP address, and after a ('Shields Up') port scan from the Internet side it turned out that ports 22, 80, 143, etc. had become open on the WAN interface.
I'm using Backfire 10.03.1. Can you please check my findings?

Hi
Firstly, thanks for this great tutorial!
I would like to use the router's IP to access some pages with IP restrictions from my country (I'm living in another).
How can I change the firewall rules to use the IP from the router (WAN IP)? Thanks

Hi,
I am trying to follow your tutorial, but I have not been able to install it as you posted.
I am using backfire 10.03.1 in which there is no kmod-crypt but kmod-crypt-core and some crypto algorithm based extra modules.